[Samba] Problems with idmap_adex module

Ross McKerchar Ross.McKerchar at sophos.com
Thu Mar 26 10:15:28 GMT 2009


Hi Guys,

I'm having problems getting the new idmap_adex module to work.

When using the idmap_adex plugin I get the following:

# wbinfo -n administrator
S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500 User (1)
# wbinfo -i administrator
Could not get info for user administrator

As expected, attempting to look up user & group info via commands which use libnss also fails.

The "administrator" account is set up with all the necessary rfc2307 attributes and works fine with the idmap_ad plugin. The uidNumber, gidNumber, and uid attributes have been added to the forest's partial attribute set, as recommended by the idmap_adex man page.

Idmap log throws up a couple of interesting lines (full log below):
1) "NT_STATUS_NO_LOGON_SERVERS"; although wbinfo --online-status says domain is online and name to sid lookups work ok.
2) "could not find idmap alloc module adex"; idmap module is installed at /usr/lib/samba/idmap/adex.so, ad.so is in the same folder.

Domain & forest functional level are both Windows Server 2003. Running Samba/Winbind 3.3.1 on RHEL5, built from Fedora rawhide SRPM.

Here is my smb.conf:
[global]
        workgroup = LOCAL
        disable netbios = yes
        log file = /var/log/samba/%m.log
        max log size = 50
        ldap timeout = 10
        realm = LOCAL.DOM
        ldap ssl = off
        security = ads
        winbind use default domain = true
        log level = idmap:10
        winbind offline logon = true
        winbind enum groups = no
        winbind enum users = no
        use kerberos keytab = yes
        winbind refresh tickets = true
        template homedir = /home/%U
        idmap backend = adex
        idmap uid = 100-4000000000
        idmap gid = 100-4000000000
        winbind nss info = adex
        winbind normalize names = yes

And here is log-winbindd-idmap at debug level 10:

[2009/03/26 09:12:45, 10] winbindd/idmap_util.c:idmap_sid_to_uid(143)
  idmap_sid_to_uid: sid = [S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500], domain = ''
[2009/03/26 09:12:45, 10] winbindd/idmap.c:idmap_backends_sid_to_unixid(763)
  idmap_backend_sid_to_unixid: domain = '', sid = [S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500]
[2009/03/26 09:12:45, 10] winbindd/idmap.c:idmap_find_domain(465)
  idmap_find_domain called for domain ''
[2009/03/26 09:12:45, 10] winbindd/idmap.c:idmap_init_default_domain(349)
  idmap_init_default_domain: calling static_init_idmap
[2009/03/26 09:12:45,  5] winbindd/idmap.c:smb_register_idmap_alloc(218)
  Successfully added idmap alloc backend 'ldap'
[2009/03/26 09:12:45,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'ldap'
[2009/03/26 09:12:45, 10] winbindd/idmap_tdb.c:idmap_tdb_init(1192)
  calling idmap_tdb_init
[2009/03/26 09:12:45,  5] winbindd/idmap.c:smb_register_idmap_alloc(218)
  Successfully added idmap alloc backend 'tdb'
[2009/03/26 09:12:45,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'tdb'
[2009/03/26 09:12:45,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'passdb'
[2009/03/26 09:12:45,  5] winbindd/idmap.c:smb_register_idmap(169)
  Successfully added idmap backend 'nss'
[2009/03/26 09:12:45,  3] winbindd/idmap.c:idmap_init_default_domain(359)
  idmap_init: using 'adex' as remote backend
[2009/03/26 09:12:45, 10] winbindd/idmap_adex/likewise_cell.c:cell_do_search(382)
  cell_do_search: Base = ,  Filter = (objectSid=\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX\XX), Scope = 2, GC = yes
[2009/03/26 09:12:45, 10] winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(339)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45,  1] winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(346)
  LWI: Failled to connect to cell "dc=LOCAL,dc=DOM" (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45, 10] winbindd/idmap_adex/domain_util.c:dc_search_domains(243)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45, 10] winbindd/idmap_adex/provider_unified.c:search_domain(254)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45,  4] winbindd/idmap_adex/provider_unified.c:search_domain(270)
  LWI (search_domain): NT_STATUS_NO_LOGON_SERVERS
[2009/03/26 09:12:45, 10] winbindd/idmap_adex/provider_unified.c:search_forest(523)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45,  4] winbindd/idmap_adex/provider_unified.c:search_forest(531)
  LWI (search_forest): NT_STATUS_NO_LOGON_SERVERS
[2009/03/26 09:12:45,  3] winbindd/idmap_adex/provider_unified.c:search_cell_list(599)
  LWI (search_cell_list): NT_STATUS_NO_LOGON_SERVERS
[2009/03/26 09:12:45, 10] winbindd/idmap_adex/provider_unified.c:_ccp_get_id_from_sid(1003)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45, 10] winbindd/idmap.c:idmap_find_domain(465)
  idmap_find_domain called for domain 'NULL'
[2009/03/26 09:12:45,  1] winbindd/idmap.c:idmap_alloc_init(578)
  could not find idmap alloc module adex
[2009/03/26 09:12:45,  3] winbindd/idmap.c:idmap_new_mapping(693)
  Could not allocate id: NT_STATUS_INVALID_PARAMETER
[2009/03/26 09:12:45, 10] winbindd/idmap_util.c:idmap_sid_to_uid(193)
  idmap_new_mapping failed: NT_STATUS_INVALID_PARAMETER

Any help would be appreciated.

-ross

Ross McKerchar
Senior Systems Engineer 1

email: ross.mckerchar at sophos.com

Sophos - simply secure



Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.
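
An added example, not part of the original post: a small Python triage script for winbindd debug logs in the layout quoted above. It pairs each header line with its message, finds the first record carrying an NT_STATUS code, counts the codes, and lists the level-1 messages; the function names and the embedded excerpt (a subset of the lines in the post) are this example's own.

```python
import re
from collections import Counter

# Excerpt of lines from the log in the post, embedded so the script runs offline
# (layout: a header line, then an indented message line).
SAMPLE_LOG = """\
[2009/03/26 09:12:45,  3] winbindd/idmap.c:idmap_init_default_domain(359)
  idmap_init: using 'adex' as remote backend
[2009/03/26 09:12:45, 10] winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(339)
  Failed! (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45,  1] winbindd/idmap_adex/likewise_cell.c:cell_connect_dn(346)
  LWI: Failled to connect to cell "dc=LOCAL,dc=DOM" (NT_STATUS_NO_LOGON_SERVERS)
[2009/03/26 09:12:45,  4] winbindd/idmap_adex/provider_unified.c:search_domain(270)
  LWI (search_domain): NT_STATUS_NO_LOGON_SERVERS
[2009/03/26 09:12:45,  1] winbindd/idmap.c:idmap_alloc_init(578)
  could not find idmap alloc module adex
[2009/03/26 09:12:45,  3] winbindd/idmap.c:idmap_new_mapping(693)
  Could not allocate id: NT_STATUS_INVALID_PARAMETER
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<file>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            rec = m.groupdict()
            rec["level"], rec["line"], rec["msg"] = int(rec["level"]), int(rec["line"]), ""
            records.append(rec)
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def triage(records, max_level=1):
    """Return (first record with an NT_STATUS code, code counts, messages at level <= max_level)."""
    with_status = [r for r in records if STATUS.search(r["msg"])]
    counts = Counter(code for r in with_status for code in STATUS.findall(r["msg"]))
    severe = [(r["func"], r["msg"]) for r in records if r["level"] <= max_level]
    return (with_status[0] if with_status else None), counts, severe

if __name__ == "__main__":
    first, counts, severe = triage(parse_records(SAMPLE_LOG))
    print("first failure:", first["file"], first["func"], first["line"])
    print("status counts:", dict(counts))
    for func, msg in severe:
        print("level<=1:", func, "-", msg)
```
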

